* Mon Aug 26 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.1
* Add performance regression tests in CI (#4701)
* feat: JA4 fingerprinting (#4669)
* Clarify s2nc/s2nd PQ output (#4702)
* fix: building for AL2 (#4679)
* ci(nix): Startup/configure apache for renegotiate test under nix (#4592)
* fix: Initial config influences client hello parsing (#4676)
* Add s2n_signature_preferences_20240521 (#4565)
* New s2n core member (#4707)
* Modify regression threshold to configurable percentage (#4698)
* chore: remove unused benchmarks (#4696)
* docs: add pq to usage guide (#4677)
- from version 1.5.0
* chore: Rust bindings bump v0.3.0 (#4697)
* Merge commit from fork
* fix: upload fuzz output to s3 when test fails (#4694)
* fix(ci): partially revert checking out head from current clone. (#4693)
* Enabling differential performance benchmarking (#4667)
* chore: document OpenSSL-FIPS restriction on RSA key size (#4654)
* ci: store fuzz artifacts in s3 (#4678)
* feat: Changes ticket encryption scheme to be nonce-reuse resistant (#4663)
* chore: Bump rust bindings to 0.2.11 (#4690)
* fix(bindings): enforce waker contract on `poll` operations (#4688)
* docs: update blinding docs (#4686)
* fix: zip corpus files before uploading to s3 (#4685)
* Adopt CBMC 6.1 and cbmc-viewer 3.9 (#4661)
* test(cbmc): add stuffer hex proofs (#4659)
* fix: don't fail for 0 blinding delay (#4671)
* chore(bindings): release 0.2.10 (#4683)
* feat(bindings): Add hyper compatibility crate (#4617)
* refactor: switch JA3 to use stuffer hex methods (#4662)
* fix: SSLv3 handshake with openssl-1.0.2-fips fails (#4644)
* feat(bindings): add renegotiate to the rust bindings (#4668)
* ci: move fuzz corpus to S3 (#4665)
* fix: default s2nc should accept default s2nd cert (#4670)
* fix: add missing corpus files for s2n_deserialize_resumption_state_test (#4672)
* refactor: clean up other hex methods (#4664)
* Set up regression benchmark for scalar performance (#4649)
* ci(nix): Setup a head build for the cross_compatibility integ test (#4567)
* fix: new clippy lints (#4666)
* fix: allow for clock skew in resumption (#4650)
* fix: Refactor some s2n_resume functions (#4648)
* fix: pin tokio-macros version (#4658)
* refactor: move stuffer hex methods out of testlib (#4653)
* Fri Jul 26 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.14.18
* chore: Bump Rust bindings v1.4.18 (#4656)
* fix: Removing new usage of memcmp (#4657)
* Merge commit from fork
* Update s2n_connection_get_kem_group_name() to
work with ClientHelloRetries (#4652)
* fix: avoid cert validation on connection_set_config (#4612)
* ci: add merge_group event to GHA workflow. (#4646)
* feat: Add API to gate session tickets to TLS1.3 only (#4645)
* feature: reusable fingerprinting interface (#4628)
* refactor(bindings/s2n-tls): finish test harness refactor (#4636)
* test(pcap): handle pcaps with tcp fragmentation (#4643)
* Refactor: change is_available return type to
bool in s2n_cipher struct (#4630)
* Refactor: change init and destroy_key return type to
S2N_RESULT in s2n_cipher struct (#4639)
* Refactor: change set/get_decryption_key return type to
S2N_RESULT in s2n_cipher struct (#4638)
* chore: document why SHA1 is the only supported hash algorithm
for cert_id generation in OCSP response (#4625)
* ci(nix): Add tshark to nix devshell (#4571)
* refactor: use feature probe for AEAD gate logic instead of
AWS-LC/BoringSSL macros (#4642)
* api(bindings/s2n-tls)!: remove public testing feature (#4623)
* chore(bindings): release 0.2.8 (#4635)
* feat(bindings/s2n-tls): add client_hello_version (#4609)
* fix: remove S2N_NO_PQ option (#4622)
* chore: fix CBMC proof summary count (#4627)
* refactor: separate out ja3 specific logic (#4578)
* Tue Jul 09 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.17
* bug: Fixing bash error (#4624)
* chore: make cbmc proof build more strict by adding -Werror flag (#4606)
* Perform 2-RTT Handshake to upgrade to PQ when possible (#4526)
* test(bindings/s2n-tls): refactor testing::s2n-tls tests (#4613)
* docs: add timeout note to blinding delay docs (#4621)
* docs: Add back suggested FIPS + TLS1.3 policy (#4605)
* ci: shallow clone musl repo (#4611)
* example(bindings): add async ConfigResolver (#4477)
* chore: use CBMC version 5.95.1 (#4586)
* s2n-tls rust binding: expose selected application protocol (#4599)
* test: add pcap testing crate (#4604)
* testing(bindings): add new test helper (#4596)
* chore(bindings): fix shebang in generate.sh (#4603)
* fix(s2n_session_ticket_test): correct clock mocking (#4602)
* Fix: update default cert chain for unit tests (#4582)
* refactor(binding): more accurate naming for const str helper (#4601)
* fix: error rather than empty cipher suites (#4597)
* chore: update s2n_stuffer_printf CBMC harness (#4531)
* ci(nix): Fix integ pq test in a devShell (#4576)
* feature: new compatibility-focused security policy preferring ECDSA (#4579)
* compliance: update generate_report.sh to point to compliance directory (#4588)
* ci: fix cppcheck errors (#4589)
* chore: cleanup duplicate duvet citations (#4587)
* Tue Jun 11 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.16
* Merge pull request from GHSA-52xf-5p2m-9wrv
* chore(bindings): release 0.2.7 (#4580)
* fix: Validate received signature algorithm in EVP verify (#4574)
* refactor: add try_compile feature probe for RSA-PSS signing (#4569)
* feat: Configurable blinding (#4562)
* docs: document s2n_cert_auth_type behavior (#4454)
* fix: init implicit iv for serialization feature (#4572)
* [Nix] adjust pytest retrys (#4558)
* fix: cert verify test fix (#4545)
* fix: update default security policies (#4523)
* feat(bindings): Associate an application context with a Connection (#4563)
* chore(bindings): version bump (#4566)
* Additional test cases for s2n_constant_time_equals() (#4559)
* test: backwards compatibility test for the serialization feature (#4548)
* chore(bench): upgrade rustls (#4554)
* Tue Jun 04 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.15
* bug(nix:corretto): use autoPatchelfHook on all systems and ignore als… (#4561)
* feat(bindings): Add API to check for resumption (#4552)
* fix: Send zero-length NST when session key is expired (#4532)
* feat: add key preferences to rfc9151 policy (#4540)
* chore: bindings release 0.2.5 (#4551)
* refactor: Avoid unnecessary s2n_hmac calls in s2n_record_write (#4539)
* feat: Modify s2nd/c to do serialization/deserialization (#4533)
* Mon May 13 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.14
* fix: Increase received signature scheme limit (#4544)
* fix: Fix a bug in tls1.3 code path (#4513)
* ci: grep for S2N_RESULT_ERR without setting s2n_errno (#4534)
* style(bindings): fix new clippy lints (#4536)
* bin: tool to print security policies (#4524)
* feat[bindings]: fips feature flag (#4527)
* feat: set certificate_authorities from trust store (#4509)
* Wed May 08 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.13
* chore(bindings): release 0.2.4 (#4530)
* nix gdb/lldb utils (#4460)
* binding: Add s2n_connection_get_session on the Connection (#4522)
* chore: update s2n-core team (#4520)
* fix: Python integ tests are flaky on arm (#4512)
* ci: Nix libcrypto helpers (#4422)
* ci: Remove actions-rs (#4514)
* chore(bindings): Pin `zeroize` to avoid MSRV increase (#4519)
* feat: add missing numbered security policies (#4511)
* docs(bindings): fix client hello doc tests (#4495)
* docs: add more warnings about security policy defaults (#4507)
* feat: add basic support for certificate_authorities (#4506)
* fix: Fix redundant code (#4504)
* chore: Rust bindings bump v1.4.12 (#4505)
* fix(sidetrail): Invalid stream cipher struct in proof wrapper (#4484)
* refactor: rename error + extension iana for consistency (#4503)
- from version 1.4.12
* feat: Serialization Rust APIs (#4493)
* refactor: combine TLS1.2 and TLS1.3 sig scheme representations (#4498)
* feat: Release C APIs for serialization (#4501)
* fix: Wipe conn->in on all record parse failures (#4499)
* Mon Apr 15 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.11
* chore(bindings): release 0.2.2 (#4497)
* feat(binding): add key update request api (#4469)
* tests: Serialization feature with post-handshake features (#4489)
* fix: add missing TLS1.3 p521 sig schemes (#4496)
* fix: correct broken early data test (#4494)
* fix: better errors for all client auth failures (#4492)
- from version 1.4.10
* feat: add s2n_peek_buffered (#4490)
* feat: reduce read syscalls to improve performance (#4485)
* feat: connection serialization (#4468)
* chore(bindings): release 0.2.1 (#4486)
* fix(bindings): print cargo commands to stdout (#4482)
* Thu Apr 04 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.9
* New TLS1.2-only variant of 20230317 policy (#4483)
* ci: add asan runs under gcc (#4402)
* fix: Adds non_exhaustive flag to FingerprintType
* fix: refactor rust bindings fingerprint methods (#4474)
* example(bindings): client hello cb example (#4385)
* feat: getter for TLS1.2 master secrets (#4470)
* bindings: ensure CFLAGS includes come after build script includes (#4475)
* bindings: mark Connection as Sync (#4467)
* Make S2N_CERT_AUTH_OPTIONAL the default for clients (#4390)
* fix(test): narrow valgrind suppressions (#4369)
* fix: pedantic memory leak in handshake test (#4463)
* chore(bindings): release 0.1.7 (#4462)
* Fri Mar 22 2024 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.8
* feat: Add additional EC key validation for FIPS (#4452)
* refactor: UBSAN build and address out of bound reads (#4440)
* Add s2n_stuffer_shift (#4458)
* style: fix declarations without initial value (#4404)
* feat: Add FIPS mode getter API (#4450)
* remove unnecessary includes (#4451)
* refactor: clang-tidy null deref and undefined mod (#4436)
* refactor: make memmove vs memcpy behavior clearer (#4447)
* fix(bindings): Apply with_system_certs to Config builder (#4456)
- from version 1.4.7
* api: add key update request functionality (#4453)
* style: manual initial value fix (#4449)
- from version 1.4.6
* docs: Specify the return value of S2N_FAILURE for IO APIs (#4446)
* refactor: enforce stuffer return check (#4399)
* refactor: fix unread variable warnings (#4405)
* fix: Unsets global libcrypto rand (#4424)
* Relax HRR consistency requirements for second client hello (#4429)
* fix: prevent enabling ktls with a buffered record header fragment (#4426)
* feat: add cert key preferences (#4434)
* chore: bindings bump 0.1.6 (#4437)
* test: add cert chain with mixed key sizes (#4433)
* feat: apply cert signature preferences locally (#4407)
* docs: Extend license check to .rs files (#4428)
* fix(test): fix dangling pointers in cert verify test (#4430)
* Add Rust bindings for certificate chains (#4398)
- from version 1.4.5
* fix: parse fragmented sslv2 client hellos (#4425)
* chore(ci): Give OpenBSD CI job a performance boost (#4427)
* fix: s2n_shutdown should handle partial records (#4421)
* feat: Server name getter for client hello (#4396)
* refactor: zero static s2n_configs on cleanup (#4416)
* Removed unused dependencies (#4417)
* chore(bindings): release 0.1.5 (#4420)
* chore(bindings): release 0.1.4 (#4418)
* bindings: use aws-lc-rs instead of aws-lc-sys (#4415)